Merge pull request #46 from bytedance/add-chmod-rule

Combine similar syscalls in the `disable-chmod-x-bit` rule
bytedance · Mar 28, 2024 · b4e7da1 · b4e7da1
2 parents 07b4c34 + daa0c5b
commit b4e7da1
Showing 1 changed file with 3 additions and 53 deletions.
diff --git a/internal/profile/seccomp/seccomp.go b/internal/profile/seccomp/seccomp.go
@@ -77,33 +77,8 @@ func generateAttackProtectionRules(rule string, profile *specs.LinuxSeccomp) {
 
 	switch rule {
 	case "disable-chmod-x-bit":
-		fchmodat2 := specs.LinuxSyscall{
-			Names:  []string{"fchmodat2"},
-			Action: specs.ActErrno,
-			Args: []specs.LinuxSeccompArg{
-				{
-					Index:    2,
-					Value:    unix.S_IXUSR,
-					ValueTwo: unix.S_IXUSR,
-					Op:       specs.OpMaskedEqual,
-				},
-				{
-					Index:    2,
-					Value:    unix.S_IXGRP,
-					ValueTwo: unix.S_IXGRP,
-					Op:       specs.OpMaskedEqual,
-				},
-				{
-					Index:    2,
-					Value:    unix.S_IXOTH,
-					ValueTwo: unix.S_IXOTH,
-					Op:       specs.OpMaskedEqual,
-				},
-			},
-		}
-
 		fchmodat := specs.LinuxSyscall{
-			Names:  []string{"fchmodat"},
+			Names:  []string{"fchmodat", "fchmodat2"},
 			Action: specs.ActErrno,
 			Args: []specs.LinuxSeccompArg{
 				{
@@ -127,33 +102,8 @@ func generateAttackProtectionRules(rule string, profile *specs.LinuxSeccomp) {
 			},
 		}
 
-		fchmod := specs.LinuxSyscall{
-			Names:  []string{"fchmod"},
-			Action: specs.ActErrno,
-			Args: []specs.LinuxSeccompArg{
-				{
-					Index:    1,
-					Value:    unix.S_IXUSR,
-					ValueTwo: unix.S_IXUSR,
-					Op:       specs.OpMaskedEqual,
-				},
-				{
-					Index:    1,
-					Value:    unix.S_IXGRP,
-					ValueTwo: unix.S_IXGRP,
-					Op:       specs.OpMaskedEqual,
-				},
-				{
-					Index:    1,
-					Value:    unix.S_IXOTH,
-					ValueTwo: unix.S_IXOTH,
-					Op:       specs.OpMaskedEqual,
-				},
-			},
-		}
-
 		chmod := specs.LinuxSyscall{
-			Names:  []string{"chmod"},
+			Names:  []string{"chmod", "fchmod"},
 			Action: specs.ActErrno,
 			Args: []specs.LinuxSeccompArg{
 				{
@@ -177,7 +127,7 @@ func generateAttackProtectionRules(rule string, profile *specs.LinuxSeccomp) {
 			},
 		}
 
-		profile.Syscalls = append(profile.Syscalls, fchmodat2, fchmodat, fchmod, chmod)
+		profile.Syscalls = append(profile.Syscalls, fchmodat, chmod)
 	}
 }